By Staff Writer at LMG Security   /   Jun 4th, 2026

Your CRM Is a Goldmine. Attackers Already Know.

When most security teams build their data protection strategy, the CRM is not at the top of the list. Email gets the controls. File storage gets the controls. The endpoint gets the controls. The CRM is the system the sales and customer support teams use, and the assumption is that it is mostly contact information. 

That assumption is wrong, and 2026 is the year the bill is coming due. 

In the last twelve months, Shiny Hunters and adjacent extortion groups have systematically targeted Salesforce instances across the Fortune 500. Charter. Google. Cisco. Qantas. Air France. Dozens more. The Charter breach alone exposed 4.9 million records (independently verified by Have I Been Pwned), including approximately 85,000 employee records. The attackers claim 42 million. The full number will shake out in the coming weeks.

Episode 75 of CyberSide Chats walked through how this category of attack works, why it is accelerating, and what to do about it. Five takeaways. 

  1. Watch your CRM as carefully as your email. Microsoft 365 and Google Workspace get DLP, monitoring, and conditional access policies as a matter of course. Salesforce gets none of those at most organizations. Salesforce has DLP available. Most customers are not using it.
  2. Lock down who can log in. Almost every CRM breach this year started with a compromised or socially engineered login. Charter was a single voice phishing call to a help desk. SalesLoft was a developer account compromise. Strong phishing-resistant MFA and identity verification at the help desk would have stopped most of these. 
  3. Apply least privilege ruthlessly. Does every member of your sales team need access to every customer record? Almost certainly not. Limit access. Limit the blast radius. The Salesforce Experience Cloud breaches that hit Aura, Pandora, and others involved guest accounts that were dramatically over-permissioned. 
  4. Inventory your connected apps and OAuth tokens. The SalesLoft/Drift incident gave attackers OAuth tokens that led to over 760 Salesforce instances. Gainsight became the second-degree compromise that hit another 200 organizations. One developer breach cascaded into nearly 1,000 customer compromises. Vet every connected app, and review the existing ones. 
  5. Watch the exits, not just the entrances. This is the takeaway most security teams underweight. Someone with trusted access just exfiltrated 4.9 million records from Charter. The export was almost certainly visible somewhere in the logs. Almost nobody is monitoring for that volume of egress from a CRM. Add CRM exfiltration to your SIEM. Cap bulk export. Make bells and whistles go off when a single account pulls more data than that account should ever need to. 
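As an added example of the kind of rule the fifth takeaway calls for (this is illustrative code, not from the podcast, LMG Security, or any CRM vendor), the script below sums exported rows per account over a look-back window and alerts when an account exceeds a cap for its role. The event layout, the role caps, and the sample events are all constructed assumptions; map your own CRM's export and report audit fields onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed per-role ceilings: the most rows an account in that role should
# legitimately pull within one look-back window. Tune from your own baselines.
ROLE_ROW_CAP = {"sales_rep": 2_000, "support_agent": 5_000, "data_admin": 100_000}
WINDOW = timedelta(hours=24)

# Constructed sample audit events (timestamp, user, role, event_type, rows).
# The field layout is assumed; real CRM audit logs name these fields differently.
SAMPLE_EVENTS = [
    ("2026-05-20T09:12:00", "amy", "sales_rep", "ReportExport", 400),
    ("2026-05-20T09:40:00", "amy", "sales_rep", "ReportExport", 350),
    # Three jobs each just under a naive per-job cap of 2,000 rows: only
    # summing per account across the window catches the chunked pull.
    ("2026-05-20T22:05:00", "bob", "support_agent", "BulkApiJob", 1_900),
    ("2026-05-20T22:11:00", "bob", "support_agent", "BulkApiJob", 1_950),
    ("2026-05-20T22:18:00", "bob", "support_agent", "BulkApiJob", 1_980),
    # Trusted integration account pulling a whole customer table overnight.
    ("2026-05-21T03:30:00", "svc_int", "data_admin", "BulkApiJob", 4_900_000),
    # Older than the window: must not count toward bob's total.
    ("2026-05-18T10:00:00", "bob", "support_agent", "ReportExport", 4_000),
]


def detect_bulk_export(events, role_caps=ROLE_ROW_CAP, window=WINDOW, now=None):
    """Sum exported rows per account inside the look-back window and return
    {user: (rows_in_window, cap)} for every account over its role's cap.
    Unknown roles get a cap of 0, so any export by them is flagged."""
    parsed = [(datetime.fromisoformat(ts), u, r, et, n) for ts, u, r, et, n in events]
    if not parsed:
        return {}
    if now is None:  # default: evaluate the window ending at the newest event
        now = max(ts for ts, *_ in parsed)
    start = now - window
    rows_by_user, role_of = defaultdict(int), {}
    for ts, user, role, _event_type, rows in parsed:
        if start <= ts <= now:
            rows_by_user[user] += rows
            role_of[user] = role
    return {
        user: (total, role_caps.get(role_of[user], 0))
        for user, total in rows_by_user.items()
        if total > role_caps.get(role_of[user], 0)
    }


if __name__ == "__main__":
    for user, (total, cap) in detect_bulk_export(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {total:,} rows exported in 24h (role cap {cap:,})")
```

Running it on the sample events flags bob (chunked pulls that individually stay under a per-job cap) and the integration account, but not amy, whose two small exports stay within her role's ceiling.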

The honest summary. 

None of these takeaways are revolutionary. They are the same identity, least privilege, monitoring, and DLP principles security teams have applied to email and file storage for fifteen years. The reason CRM breaches are accelerating right now is not that attackers got smarter. It is that defenders have not yet applied the basics to a system that turns out to hold some of the most sensitive data in the company. 

Apply the basics. The breaches stop being inevitable.
